From 8723cbec53d8a7e95062ab18406cbf3c93c49b93 Mon Sep 17 00:00:00 2001
From: Fiscal Velvet Poet
Date: Sat, 29 Apr 2023 21:31:49 +1000
Subject: [PATCH] ragenix: migrate forgejo to agenix for secrets progresses #1 resolves #11
---
 nixos/hosts/toscano/configuration.nix | 13 ++++++++++---
 outputs.nix | 10 +++++-----
 profiles/forgejo.nix | 11 +++++++----
 secrets/forgejo.age | 11 +++++++++++
 secrets/secrets.nix | 1 +
 5 files changed, 34 insertions(+), 12 deletions(-)
 create mode 100644 secrets/forgejo.age
diff --git a/nixos/hosts/toscano/configuration.nix b/nixos/hosts/toscano/configuration.nix
index d04bc70..d7028c5 100644
--- a/nixos/hosts/toscano/configuration.nix
+++ b/nixos/hosts/toscano/configuration.nix
@@ -1,4 +1,4 @@
-# NixOps configuration for toscano
+# NixOS configuration for toscano
 #
 # https://en.wikipedia.org/wiki/Joseph_Toscano
 {
@@ -9,15 +9,22 @@
 }: {
 imports = [
 ../../../networks/linode.nix
- #../../../profiles/gitea.nix
+ ../../../profiles/forgejo.nix
 #../../../profiles/hakyll-skeleton.nix
 #../../../profiles/jfdic-web.nix
 #../../../profiles/resrok-web.nix
 #../../../profiles/tmateServer.nix
 #../../../profiles/voc-web.nix
- #../../../secrets/gitea.nix
 ];
 
+ age.secrets = {
+ forgejo = {
+ file = ../../../secrets/forgejo.age;
+ owner = "gitea";
+ group = "gitea";
+ };
+ };
+
 deployment = {
 tags = ["infra"];
 targetHost = "45.79.236.198";
diff --git a/outputs.nix b/outputs.nix
index 6b6ba32..9c6d144 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -40,10 +40,10 @@ in {
 ragenix.nixosModules.default
 ];
 };
- # The below lines are in the wrong place
- #nixosConfigurations = import ./nixos/configurations.nix (inputs
- # // {
- # inherit inputs;
- # });
 };
+ # The below lines are in the wrong place
+ #nixosConfigurations = import ./nixos/configurations.nix (inputs
+ # // {
+ # inherit inputs;
+ # });
 }
diff --git a/profiles/forgejo.nix b/profiles/forgejo.nix
index 83e10c6..326e550 100644
--- a/profiles/forgejo.nix
+++ b/profiles/forgejo.nix
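Review bot: The new `age.secrets.forgejo` block in the second configuration.nix hunk hard-codes `owner = "gitea"` and `group = "gitea"` while its only consumer, `profiles/forgejo.nix`, reaches the file through `config.age.secrets.forgejo.path`; binding the owner to the service's configured account, `owner = config.services.gitea.user;`, keeps the two from drifting if that user is ever renamed. Declaring the secret in the host file rather than in the profile also means any other host that imports `profiles/forgejo.nix` fails evaluation on the missing `age.secrets.forgejo` attribute, so moving this block into the profile next to its consumer would make the profile self-contained. No `mode` is given, which is fine for a database password if agenix's default is the restrictive owner-read-only mode I believe it is; worth confirming on the pinned ragenix version. The comment fix in the first hunk and the comment move in outputs.nix need no change.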
@@ -1,23 +1,26 @@
 # NixOps configuration for the hosts running Forgejo
 {
 config,
- inputs,
 pkgs,
 lib,
 ...
- }: {
+}: let
+ flake = builtins.getFlake (toString ../.);
+ nixpkgsUnstable = flake.inputs.nixpkgsUnstable;
+ forgejo = nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo;
+in {
 services.gitea = {
 enable = true; # Enable Forgejo
 appName = "JFDI Collective: Forgejo Service"; # Give the site a name
 database = {
 type = "postgres"; # Database type
- passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
+ passwordFile = config.age.secrets.forgejo.path;
 };
 disableRegistration = true;
 domain = "source.jfdic.org"; # Domain name
 rootUrl = "https://source.jfdic.org/"; # Root web URL
 httpPort = 3002; # Provided unique port
- package = inputs.nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo; # a soft fork of gitea
+ package = forgejo; # a soft fork of gitea
 settings = let
 docutils = pkgs.python37.withPackages (ps: with ps; [
diff --git a/secrets/forgejo.age b/secrets/forgejo.age
new file mode 100644
index 0000000..7a5dfc2
--- /dev/null
+++ b/secrets/forgejo.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBzblFC
+eUZrZEw3R24weVJ2TUw3QWZ6WDNYS1NDZVpGTktnakk4M2FnVEhFCjUxK1BucVBu
+Vm52cXhyK1RyRFdTd2w1WU9NWDUranZTRkhzOHIwbXVHTlkKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIERNWExUWk95Wk1udHYxWm1vKzAwR29kUC9JeUJoMVI3MUx3UmFG
+aDFCakkKSitsbEtsVzQ5eDAzZ0VUOXIrUkNsSkFFRXJGbEUyVTZNKzcwcTBhWnYy
+RQotPiBsbS1ncmVhc2UgLTwpJyAxTmtRMgp5OVpBSDh2azhrYjI1cmNjVmdKdlh0
+d2ZJZwotLS0gSGRZZ2k2ZDhqc3E1clBkOVZ4K3FjZUtGUG1XZ1ozVDRpZkd3ZkhG
+d3ZuYwocfVjJedKaGHSUGZE2tTu5W47y68PW51+NdYxQOT65fyZD9/Vxi+7HiFqM
+0xrmCMh3IsOvPa60vuY=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e62d72e..05d04e4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
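Review bot: Replacing the `inputs` module argument with `builtins.getFlake (toString ../.)` in the new `let` block makes this profile evaluate the repository's flake a second time from a source path, which Nix only accepts in impure evaluation (`--impure`) and which ties the module to its on-disk location instead of to the inputs the host configuration was actually built with. If `inputs` was dropped because it never reached the module, the conventional fix is to keep `inputs,` in the argument set and pass it from the flake with `specialArgs = { inherit inputs; };` (or `_module.args.inputs`) where the host's `nixosSystem` is declared, restoring `package = inputs.nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo;`. Separately, `passwordFile = config.age.secrets.forgejo.path;` now depends on the importing host declaring `age.secrets.forgejo`; declaring it in this profile, with `owner = config.services.gitea.user;`, keeps the secret next to its consumer, and a sentence in the header comment saying the database password is provisioned by agenix would replace the removed `# Where to find the password` comment. The `settings` attribute set continues past the end of the hunk.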
@@ -10,4 +10,5 @@ let
 in {
 "root.age".publicKeys = ops ++ systems;
 "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;
+ "forgejo.age".publicKeys = [fiscalvelvetpoet toscano];
 }
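Review bot: `"forgejo.age".publicKeys = [fiscalvelvetpoet toscano];` encrypts to one operator key plus the toscano host key, while the two existing entries use the `systems` list and `root.age` also includes `ops`. Scoping a service password to the single host that consumes it is the sensible choice, but the asymmetry reads like an omission without a note, so a comment such as `# host-scoped: only toscano and its maintainer can decrypt or rekey this file` would help. It also means that losing the one operator key leaves no way to rekey this file other than regenerating the secret, which is worth stating next to it.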